Developers can find their apps suddenly don't work if Apple revokes their developer certificate (Pic: Vector Cookies/Getty Images)
Apple has officially taken cognizance of rogue app developers who are using Apple-issued enterprise certificates to build hacked versions of popular and legitimate apps such as Minecraft, Spotify, Angry Birds and Pokemon.
The enterprise certificates that these rogue developers are exploiting for their personal gain are the ones that have been granted by Apple to enable enterprises to create in-house apps for their employees. The use of such certificates is also officially the only way enterprises can create apps and distribute them outside of the official App Store.
A recent report from Reuters revealed that these certificates are now being misused by certain rogue developers to build hacked versions of popular and legitimate iOS apps. These apps are, in turn, being distributed to iOS device users through software distributors such as TutuApp, Panda Helper, AppValley and TweakBox.
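What separates an enterprise-signed app from an App Store build is visible in the provisioning profile embedded in the app bundle. The following is an added example (not code from the article or from Apple) that classifies a decoded profile and flags enterprise-signed apps from a Team ID an organisation does not own, the check an MDM or incident-response team would run on a device suspected of carrying sideloaded apps; the sample plist, Team IDs and team name are constructed.

```python
import plistlib
from datetime import datetime

# Constructed sample of the XML plist carried inside embedded.mobileprovision.
# A real profile is a CMS-signed DER blob; on macOS it is unwrapped with
#   security cms -D -i Payload/<App>.app/embedded.mobileprovision
# and the resulting XML is what classify_profile() consumes.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>In-House Distribution (constructed)</string>
  <key>TeamName</key><string>Example Corp (constructed)</string>
  <key>TeamIdentifier</key><array><string>ABCDE12345</string></array>
  <key>ProvisionsAllDevices</key><true/>
  <key>ExpirationDate</key><date>2030-01-01T00:00:00Z</date>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>ABCDE12345.com.example.app</string>
    <key>get-task-allow</key><false/>
  </dict>
</dict></plist>"""

def classify_profile(plist_bytes, now=None):
    """Return the distribution kind, signing Team IDs and expiry state of a
    decoded provisioning profile. ProvisionsAllDevices is the flag that lets
    an enterprise-signed app install on any device without App Store review."""
    p = plistlib.loads(plist_bytes)
    if p.get("ProvisionsAllDevices"):
        kind = "enterprise"    # in-house distribution, any device
    elif p.get("Entitlements", {}).get("get-task-allow"):
        kind = "development"   # debuggable, limited to listed devices
    elif p.get("ProvisionedDevices"):
        kind = "ad-hoc"        # limited to listed devices, not debuggable
    else:
        kind = "app-store"     # no device list and not in-house
    exp = p.get("ExpirationDate")
    return {
        "kind": kind,
        "team_ids": list(p.get("TeamIdentifier", [])),
        "team_name": p.get("TeamName", ""),
        # Once Apple revokes the certificate or the profile lapses, the app stops launching.
        "expired": bool(exp and exp < (now or datetime.utcnow())),
    }

def flag_unexpected_enterprise(plist_bytes, allowed_team_ids, now=None):
    """True when an app is enterprise-signed by a Team ID the organisation
    does not own: the condition an MDM or IR team would alert on, since such
    an app reached the device outside both the App Store and the org's MDM."""
    info = classify_profile(plist_bytes, now)
    return info["kind"] == "enterprise" and not (
        set(info["team_ids"]) & set(allowed_team_ids))
```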
The rogue developers have also been trying to drive demand for their duplicate apps by letting users enjoy ad-free experiences without paying any premium, use paid apps without paying their fees and circumvent the rules of popular games.
The use of duplicate apps that allow people to use premium apps for free also allows such rogue developers to pocket the entire revenue generated by these apps without having to share anything with Apple.
Even though Apple cannot prevent the misuse of enterprise developer certificates without scrapping the programme altogether, a spokesperson from the Cupertino-based technology giant told Reuters that Apple will terminate enterprise certificates as soon as it finds out that they are being misused.
"Developers that abuse our enterprise certificates are in violation of the Apple Developer Enterprise Program Agreement and will have their certificates terminated, and if appropriate, they will be removed from our Developer Program completely. We are continuously evaluating the cases of misuse and are prepared to take immediate action," said the spokesperson.
Apple also hinted that it would soon introduce two-factor authentication in all developer accounts to ensure that enterprise developer certificates issued by it will only be used by genuine developers for declared purposes.
Earlier this month, Apple revoked enterprise developer certificates granted to Facebook after it discovered that the certificates were used by Facebook to build its Facebook Research app, a highly-invasive app that collected detailed usage stats and data from devices used by people from all age groups, including teenagers.
"We designed our Enterprise Developer Program solely for the internal distribution of apps within an organisation. Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple.
"Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data," an Apple spokesperson said, days before the certificates were restored following discussions between the two technology giants.
Commenting on the use of Apple-issued enterprise developer certificates by rogue developers to create hacked apps, Jake Moore, cyber-security specialist at ESET UK, told SC Magazine UK that this type of misuse is constantly evaluated but could still cause a headache for both Apple and its users, let alone legitimate app makers.
"Developer certificates created to bypass the app store will always hold some sort of risk, as opposed to how Apple usually vets all apps for general consumer consumption. Introducing two-factor authentication will eradicate the majority of this risk but the best way of mitigating the problem would be to have modified apps go through Apple’s vigorous vetting process before being able to be used," he added.